Data breakdown at the Corona test center

Getting tested for infection with the Covid 19 virus is becoming almost commonplace for more and more people. In many places, testing centers have been set up where this can be done quickly and usually even free of charge.

Visitors usually receive an access code at the end of the test, which they can use to view their test result online or print out a confirmation after a certain period of time. In many places, these are requested before entering certain stores, for example. This means that there is hardly any way around going to a test center and taking your test there. personal data to specify.

The online presence of some test centers has repeatedly suffered IT breakdowns, with data from those tested being available to everyone. These were not only personal data such as name, date of birth, address and telephone number, but also the respective test results, which as health data fall under the special protection of Art. 9 I GDPR.

Current examples

It was not only in March 2021 that security researchers discovered that coronavirus test centers in Germany and Austria were inadequately protected (the name, address, date of birth, citizenship, coronavirus test result and, in some cases, ID card data of more than 80,000 people were exposed). People openly accessible), but even recently it was still possible to view corresponding data from over 14,000 tested persons from centers in Hamburg, Berlin, Leipzig and Schwerte.

So the problem is still relevant.

Reasons for the data mishaps

But where exactly were the errors that made such data mishaps possible in the first place?

More than 100 test centers had unprotected interfaces to websites and web applications that customers could use to register for a test and check their results. Not only were these interfaces of the affected test centers inadequately secured, but by changing the last digit of their assigned customer identification number to view their result, even lay computer users were able to view the result and other information. personal data of other customers. To prevent this, so-called UUIDs and complex hash values (results) can be used in the programming.

In addition, it is said to have been possible to view online, in part via each customer account, in which test center who was being tested and when, and what the result was.

Consequences

Fines were imposed on the individual operators, as also provided for by the GDPR. However, voices were quickly raised that the authorities lacked the necessary severity in taking action against such data breaches.

The affected operators, who were required to report these data breaches, testified that the vulnerabilities have since been fixed.

But it is foreseeable that with regard to the volumes of data collected in connection with Corona, further digitization deficiencies will be revealed in the future.